Information security demands a layered approach in IP SANs.


As the need for information storage and backup continues to rise exponentially, many companies have migrated away from Fibre Channel SANs and NAS and begun investigating and implementing cost-effective IP SANs. An IP SAN is a storage network built on an ordinary IP network: the iSCSI protocol encapsulates SCSI commands and data and carries them in TCP/IP packets between an iSCSI initiator (the host side) and an iSCSI target (the storage side). The average company already has an IP-based infrastructure in place and established IT guidelines, which makes implementing an IP SAN easy and affordable.
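To make concrete what "SCSI over IP" looks like on the wire, here is an added example (not code from the article or from SANRAD) that builds and parses the iSCSI Login Request PDU, the first PDU an initiator sends to a target and the one that carries the self-asserted InitiatorName and the offered AuthMethod that the later layers of this article act on. The field layout follows RFC 3720 section 10.12; the initiator and target names and the sample parameters are constructed for the demonstration.

```python
"""Build and parse an iSCSI Login Request PDU (RFC 3720 section 10.12).
Added example; the sample names and parameters below are constructed, not captured."""
import struct

LOGIN_REQUEST = 0x03   # opcode in the low six bits of byte 0
STAGES = {0: "SecurityNegotiation", 1: "LoginOperationalNegotiation", 3: "FullFeaturePhase"}


def encode_login_params(params: dict) -> bytes:
    """Login parameters are NUL-terminated key=value text in the data segment (RFC 3720 5.2)."""
    return b"".join(f"{k}={v}".encode("ascii") + b"\x00" for k, v in params.items())


def build_login_request(params: dict, isid: bytes = b"\x80\x00\x00\x00\x00\x01",
                        csg: int = 0, nsg: int = 1, transit: bool = True,
                        itt: int = 0x12345678, cid: int = 0, cmdsn: int = 1,
                        expstatsn: int = 0) -> bytes:
    """Initiator side: 48-byte BHS followed by the data segment padded to 4 bytes."""
    data = encode_login_params(params)
    flags = (0x80 if transit else 0) | ((csg & 3) << 2) | (nsg & 3)      # T bit, CSG, NSG
    bhs = struct.pack(">BBBB", 0x40 | LOGIN_REQUEST, flags, 0, 0)         # I bit set; Version-max/min 0
    bhs += b"\x00" + len(data).to_bytes(3, "big")                         # TotalAHSLength, DataSegmentLength
    bhs += isid + struct.pack(">H", 0)                                     # ISID (6 bytes), TSIH=0 (new session)
    bhs += struct.pack(">IHHII", itt, cid, 0, cmdsn, expstatsn)            # ITT, CID, reserved, CmdSN, ExpStatSN
    bhs += bytes(16)                                                       # bytes 32-47 reserved
    assert len(bhs) == 48
    return bhs + data + bytes((-len(data)) % 4)


def parse_login_request(pdu: bytes) -> dict:
    """Target side: decode the BHS and the login parameters, refusing anything inconsistent."""
    if len(pdu) < 48:
        raise ValueError("truncated BHS")
    if pdu[0] & 0x3F != LOGIN_REQUEST:
        raise ValueError(f"not a Login Request (opcode 0x{pdu[0] & 0x3F:02x})")
    flags = pdu[1]
    data_start = 48 + 4 * pdu[4]                       # AHS (if any) sits between BHS and data
    data_len = int.from_bytes(pdu[5:8], "big")
    if len(pdu) < data_start + data_len:
        raise ValueError("DataSegmentLength runs past the PDU")   # length fields are attacker-controlled
    itt, cid, _reserved, cmdsn, expstatsn = struct.unpack(">IHHII", pdu[16:32])
    params = {}
    for item in pdu[data_start:data_start + data_len].split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.partition(b"=")
        if not sep or not key:
            raise ValueError(f"malformed login parameter {item!r}")
        key = key.decode("ascii")
        if key in params:
            raise ValueError(f"key {key} sent more than once")    # RFC 3720 5.2: once per negotiation
        params[key] = value.decode("ascii")
    return {
        "immediate": bool(pdu[0] & 0x40),
        "transit": bool(flags & 0x80), "continue": bool(flags & 0x40),
        "csg": STAGES.get((flags >> 2) & 3, "reserved"), "nsg": STAGES.get(flags & 3, "reserved"),
        "version_max": pdu[2], "version_min": pdu[3],
        "isid": pdu[8:14].hex(), "tsih": int.from_bytes(pdu[14:16], "big"),
        "itt": itt, "cid": cid, "cmdsn": cmdsn, "expstatsn": expstatsn,
        "params": params,
    }


def rejects(pdu: bytes) -> bool:
    """True when the parser refuses the PDU (exercises the guards above)."""
    try:
        parse_login_request(pdu)
    except ValueError:
        return True
    return False


# Constructed sample: what a host offers before any authentication has happened.
SAMPLE_PARAMS = {
    "InitiatorName": "iqn.1994-05.com.example:host01",
    "TargetName": "iqn.2004-10.com.example:vol01",
    "SessionType": "Normal",
    "AuthMethod": "CHAP,None",
}

if __name__ == "__main__":
    print(parse_login_request(build_login_request(SAMPLE_PARAMS)))
```

The length checks are the security-relevant part: DataSegmentLength is chosen by the peer, and a target that trusts it reads past its buffer; refusing a repeated key removes any ambiguity about which InitiatorName or AuthMethod the target actually negotiated.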

However, precisely because an IP SAN may run over the Internet (hailed as the world's quintessential open medium for information and idea exchange), some companies hesitate. Send confidential company information via the Internet? Is it secure? How do I know that the right people will get the right information? How do I identify the "right" people?

These are legitimate questions that some insight into the available Internet, iSCSI and SAN technologies can answer.

An IP SAN includes four layers:

* LAN (Local Area Network) perimeter

* Inter-LAN communications

* Initiator authorization

* Initiator authentication

IP SAN security is not left to any single layer: an iSCSI login makes its way through each of the four layers in turn, and each layer can stop it. How to protect them is the question.

IP SAN Overview

An IP SAN has three main types of components: storage devices, hosts and switches. The storage devices and hosts sit at opposite ends of the SAN and are connected in the middle through the IP network switches. iSCSI initiators in the host connect through the IP switch to iSCSI targets in the storage devices to access information.

IP SAN-enabling products (software, hardware or a combination) deliver virtualization of physical storage into customized, sizable virtual volumes. Virtualization can increase security in an IP SAN by partitioning physical storage into separate volumes and applying access rules to each partition. Intelligent IP SAN switches sit in the data path between the storage devices and the IP network switch.

The LAN Perimeter

The first layer of protection in an IP SAN is the wall separating the internal network or Local Area Network (LAN) from the outside networks. This wall is the gateway through which information enters and leaves the LAN. Controlling this perimeter controls information access and flow.

A firewall usually sits on the perimeter between the internal and external networks. A firewall provides traffic control between these two networks and can be closed to stop all traffic flow or selectively opened at specific locations to allow specific IP traffic through.

The iSCSI initiator login attempt trying to pass through the firewall must come from a source IP address on the firewall's list of addresses allowed to cross it. If it does, it also must arrive on the correct port (TCP 3260 by default) and use the correct protocol. Firewalls should also support some form of authentication of the connecting party, since a source IP address is not, by itself, proof of identity.

The switch supports alternate iSCSI communication port configurations: a port other than the standard iSCSI port (TCP 3260) can be used for iSCSI communications, which keeps casual unauthorized login attempts off the default port. This is obscurity rather than protection, since a port scan will still find the listener, so it complements the address filtering and the authorization and authentication layers described below rather than replacing them.

Inter-LAN Communications

If a LAN is closed to outside networks, information will be more secure. However, most companies need to be connected to outside networks. Isolation isn't an option.

When information crosses through the private/public border, it can lose the security it enjoyed in a LAN. One cannot build a wall around information as it travels between networks; however, it is possible to create secure tunnels and safeguard the information during its journey.

A Virtual Private Network (VPN) creates a secure transport tunnel for data in motion between two LANs using strong encryption. A VPN appliance is placed at the public/private border of each LAN. Encryption keys and peer groups are then configured for point-to-point encryption and decryption to guard against eavesdropping.

When the iSCSI initiator login attempt passes through the firewall and travels to another LAN, it is encrypted by the VPN as it leaves its LAN and decrypted by the VPN at the entrance to the second LAN. Intelligent IP SAN switches support VPN tunneling appliances and methods, allowing information flowing through the switch to be encrypted during "public" travel between LANs.

The iSCSI initiator login attempt that made it successfully through the firewall arrives securely to the switch's LAN.

iSCSI Initiator Authorization

So far, security measures have taken place in two layers of your IP SAN. An iSCSI initiator login attempt has qualified for access at each network layer. It is now at the specific iSCSI target device. Does the device allow anyone who can find it to log in? At this point, each device is on its own.

Certain devices support the creation of an Access Control List (ACL) for a target to establish which iSCSI initiators are allowed or denied access to it. Besides determining which iSCSI initiators can access the device, the type of access can also be set: read-write or read-only.

At the switch layer, ACL configurations are supported on a per-target, per-initiator basis. The switch ACL identifies an iSCSI initiator by its world wide unique identifier (WWUI), that is, the initiator's iSCSI name (an iqn. or eui. format string as defined in RFC 3720). More than one initiator can be allowed access to a target and each initiator's access rights can be independently configured. Access to a target can also be explicitly denied to an iSCSI initiator. Note that the initiator name is asserted by the initiator itself in its login request: the ACL decides what a given name may do, and it is authentication, covered next, that establishes the name is genuine.

iSCSI Initiator Authentication

An iSCSI initiator login attempt seems to come from an ACL-approved source. But how do we know that the iSCSI initiator really is who it says it is? How do we know it isn't an impostor? What if our club, the iSCSI target, has a secret handshake that all members need to know to gain admittance? Something more elaborate and foolproof than "I know Dave."

Challenge-Handshake Authentication Protocol (CHAP) is an authentication protocol that can be used to authenticate iSCSI initiators at target login. The iSCSI target sends the initiator a random challenge together with an identifier; the initiator must answer with a one-way hash (MD5 in iSCSI) computed over the identifier, the shared secret and the challenge. The secret itself is never transmitted, and because the challenge changes with every login a captured answer cannot be replayed. Without the correct answer, the iSCSI session login attempt is terminated. The initiator can likewise challenge the target (mutual CHAP) so that a host is not tricked into writing to an impostor target.
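The per-target, per-initiator ACL described above and the CHAP handshake described here fit together as one target-side login decision. The following added example (not the article's or any vendor's code) carries both sides of the exchange in Python: the target looks up the initiator's name in the ACL, issues a fresh challenge, and verifies the MD5 response as specified by RFC 1994 and profiled for iSCSI in RFC 3720 section 11.1.4; the initiator may then challenge the target in turn (mutual CHAP). The ACL table, iSCSI names and secrets are constructed for the demonstration; a real switch would keep them in its own store or defer the verification to RADIUS.

```python
"""Target-side iSCSI login decision: per-initiator ACL, then CHAP (RFC 1994 as
profiled by RFC 3720 11.1.4). Added example; names, secrets and the ACL table
are constructed for the demo and are not a vendor's configuration."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Per-target, per-initiator ACL: access mode plus the CHAP secret the initiator must prove.
ACL = {
    "iqn.2004-10.com.example:vol01": {
        "iqn.1994-05.com.example:host01": {"mode": "rw", "secret": b"host01-secret-0123"},
        "iqn.1994-05.com.example:host02": {"mode": "ro", "secret": b"host02-secret-4567"},
    },
}
# Secret the target proves to initiators that ask for mutual CHAP; must differ from every initiator secret.
TARGET_SECRET = {"iqn.2004-10.com.example:vol01": b"vol01-target-secret-89ab"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C) with CHAP_A=5 (MD5), the algorithm
    every iSCSI implementation must support. The secret itself never goes on the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge() -> Tuple[int, bytes]:
    """Fresh, unpredictable CHAP_I and CHAP_C for every login, so an old response is useless."""
    return os.urandom(1)[0], os.urandom(16)


def target_verify(target_name: str, initiator_name: str, identifier: int,
                  challenge: bytes, response: bytes) -> Optional[str]:
    """Authorization first (is this name on the target's ACL?), then authentication (CHAP).
    Returns the granted access mode, or None when the login must be terminated."""
    entry = ACL.get(target_name, {}).get(initiator_name)
    if entry is None:
        return None                                   # not on the ACL: denied before any handshake
    expected = chap_response(identifier, entry["secret"], challenge)
    if not hmac.compare_digest(expected, response):  # constant-time comparison
        return None
    return entry["mode"]


def target_answer(target_name: str, identifier: int, challenge: bytes) -> Optional[bytes]:
    """Mutual CHAP: the target answers a challenge the initiator sends it."""
    secret = TARGET_SECRET.get(target_name)
    return None if secret is None else chap_response(identifier, secret, challenge)


def simulate_login(initiator_name: str, initiator_secret: bytes, target_name: str,
                   expected_target_secret: Optional[bytes] = None) -> Tuple[Optional[str], bool]:
    """Both sides of one login. Returns (access mode or None, target authenticated?).
    Passing expected_target_secret (the initiator's configured copy) requests mutual CHAP."""
    # target -> initiator: CHAP_A=5, CHAP_I, CHAP_C
    ident, chal = new_challenge()
    # initiator -> target: CHAP_N=<initiator name>, CHAP_R
    mode = target_verify(target_name, initiator_name, ident, chal,
                         chap_response(ident, initiator_secret, chal))
    if mode is None or expected_target_secret is None:
        return mode, False
    # initiator -> target: its own CHAP_I, CHAP_C; target -> initiator: CHAP_N, CHAP_R
    i_ident, i_chal = new_challenge()
    answer = target_answer(target_name, i_ident, i_chal)
    ok = answer is not None and hmac.compare_digest(
        answer, chap_response(i_ident, expected_target_secret, i_chal))
    return mode, ok


if __name__ == "__main__":
    print(simulate_login("iqn.1994-05.com.example:host01", b"host01-secret-0123",
                         "iqn.2004-10.com.example:vol01", b"vol01-target-secret-89ab"))
```

Two properties are worth checking against any implementation: the secret never leaves either side, and a response is bound to one identifier and one challenge, so a captured response cannot be replayed. CHAP does not, however, stop an eavesdropper from taking a captured challenge/response pair offline and guessing the secret, which is why secrets should be long and random and why the article pairs CHAP with an encrypted tunnel between LANs.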

The IP SAN switch ACL supports CHAP and SRP (Secure Remote Password) authentication for its iSCSI targets. The user name and secret are configured and stored on the switch. As an additional safety measure, the switch includes a RADIUS client so that a RADIUS server can perform the verification. Instead of storing the user name and secret together on the switch, the secret can be stored on the RADIUS server: the switch forwards the challenge and the initiator's response, and the server, which must hold the secret in recoverable form for CHAP to work, returns accept or reject.

IP SANs answer the growing need for more cost-effective and secure SAN implementations. Using readily available IP security technologies, data transfer over the IP network can be secured without increasing the cost of ownership of an IP SAN. IP SAN switches add initiator authorization and authentication to your existing security measures.

IPsec encryption is due to be incorporated into next-generation intelligent switches to provide full data encryption within the LAN. Additionally, look to future switches to include technologies that protect your data even against theft of the physical storage disks, that is, encryption of data at rest.

Zophar Sante is vice president, market development, at SAN-RAD, Inc. (Silicon Valley, CA)

www.sanrad.com
COPYRIGHT 2004 West World Productions, Inc.

Article Details
Title Annotation: SAN Trends; Small computer system interface
Author: Sante, Zophar
Publication: Computer Technology Review
Date: Oct 1, 2004